It has been a difficult first week back to teach online. As has been my practice for about a year, I begin each course at the University of Washington with a single slide that encapsulates the latest information I have on the pandemic. To that, I added an introduction to the SolarWinds data breach for my emerging cyber topics course on Monday. On Thursday, I created several slides on the invasion of the U.S. Capitol on January 6th for my information ethics, policy and law course, where we had started with an examination of the foundations of our government, including its seminal documents: the Declaration of Independence, the Constitution, and the Bill of Rights.
The Pandemic
Any risk analyst would advise you that the numbers are going in the wrong direction. What we have now in terms of infections and deaths is the worst-case instance of the magnitude x frequency model. The holidays brought out our most sentimental behavior, and we will continue to see consequences from family gatherings. At the same time, state governments are having a hard time deploying the vaccine that they have received. I know that the Biden-Trump transition teams are working on better solutions than we have right now for vaccinating people; and that badly needed funds for testing and vaccination cannot be far away. I look forward to better working relationships between the federal government and the states who have shouldered the burden of decision making and reallocation of their existing revenues.
The Solar Winds Breach
If there were ever a clear illustration of how the government and the private sector are inextricably bound together, it would be with this breach. The pandemic magnifies fissures in our critical infrastructure. Personnel in both the government and private sector are mostly working from home, which might help explain how the breach activity went undetected since last October. In addition to remote government operations, agencies responsible for defense or nuclear power or homeland security have been hollowed out, with political appointees running the organizations. It was a private sector company, FireEye, that detected the supply chain hack, conducted through an alleged software update from the company SolarWinds, a cybersecurity tools provider with contracts with many parts of the government as well as with Fortune 500 companies. According to my colleague Sean S. Costigan,
“Since the SolarWinds attack affected so many Fortune 500 companies, including critical infrastructure entities, once noticed it was bound to become public. It is a matter of conjecture as to whether the perpetrators cared about what collateral damage they caused to industry and government entities that were less likely to be targets of interest. According to SolarWinds, at present count over 18,000 of its 300,000 customers installed the malware. It is hard to understate the scale since SolarWinds counts the Office of the President of the United States, the Department of Defense, the NSA, Visa, Mastercard, Harvard, Subaru, Volvo, Lockheed Martin, Cisco, The New York Times and thousands more major organizations among their customers.” (Diplomatic Courier, January 4, 2021)
From signatures, the hackers are assumed to be from the Russian intelligence agency, SVR. By attacking from inside the United States, the Russians exploited the limits on the authority of the National Security Agency (NSA), which cannot enter or defend private sector networks. Note that the assessment of impact is not yet complete, but there is no doubt that the Russians gained information that is particularly troubling, given the peaceful transfer of presidential power we expect to undergo on January 20th. At this time, we do not know if SVR’s intent was simple espionage or rather the installation of back doors into prime strike sites that could include the electrical grid, nuclear power plants, labs that are developing new versions of nuclear weapons, and so on.
Insurrection at the U.S. Capitol
Much has already been written about this event and its causes. Along with colleagues, I’ve been looking at white supremacist/fringe conspiracy theory groups like the KKK, Proud Boys and Qanon for years, and so has the FBI. Until 2015 when Trump was campaigning, most of these groups had communicated among themselves. Spurred on and encouraged by the current president, such groups have gone mainstream and represent a very real threat to our way of government. The mob that broke into the U.S. Capitol on January 6th had arrived there directly after being provocatively addressed by President Trump. “Incitement to insurrection” is the charge that will most probably be leveled in a new bill of impeachment being prepared for the House of Representatives to vote on early this week. In the meantime, the FBI is not only overseeing the investigation of the lack of preparedness of Capitol Police, but also the apprehension of those who breached the building caused property damage and whose activities ultimately resulted in at least five deaths – including the death of a police officer who was hit over the head with a fire extinguisher, and perhaps another officer as well. Some participants were there to find Vice President Pence and do him harm, with a noose at the ready. Some shouted that they were there to take back their country, not just prevent the Congress from approving the electoral college votes that certified the election of a new president. It was hard to miss the paramilitary types complete with weapons urging everyone on or the presumably off- duty police officers who were part of the mob.
We can say that we don’t recognize this behavior, or that this is not the America we know, but that is avoidance of several fundamental questions. The work ahead is wide and deep: so many believe in a demagogue, suck up his aggrieved misinformation, and distrust the government. Though this event may have caused some elected officials to rethink their loyalty to Trump, it is not enough. There are already mainstream calls for the mob to return to Washington D.C. or to their own state capitols between January 17 and January 20. Do we want to live in an armed standoff for the next four years, even as we try to deal with the greatest public health threat and the greatest cyber hack that the country has ever known?
A More Perfect Union
The title of my column comes from the preamble to the U.S. Constitution, signed in 1787.
“We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.”
I believe that these aims are viable, though they are still in progress. The mobsters would like you to believe that they understand patriotism better than you do, that the time has come to overthrow our current form of government. Though our form of government has become misshapen and weakened by the current president, I am confident that we are heading for a better time, when it will be possible to sort facts from intentional misinformation, when citizens will be better informed about real risks to our public health, to our critical infrastructure, and to our government.
Originally Published in ASA News & Notes January 11, 2021
Annie Searle
Searle is an Associate Teaching Professor Emeritus at the University of Washington. She is founder and principal of ASA Risk Consultants, a Seattle-based advisory firm. She spent 10 years at Washington Mutual Bank, most of them as a senior executive. Annie is a member of the CISA 10 Regional Infrastructure Security Group. She was an inaugural inductee in 2011 into the Hall of Fame for the International Network of Women in Homeland Security and Emergency Management. She writes a column monthly for ASA News & Notes and is the author of several books or book chapters. She is also a member of the emeritus board of directors for the Seattle Public Library Foundation.